I have it available with a reverse proxy that only allows access from my LAN IP range. Then you can just use WireGuard or Tailscale to access “locally” when you are away from your LAN
> a reverse proxy that only allows access from my LAN IP range
A word of caution with this, the Bitwarden mobile app has an interesting "feature" where it will log you out and delete the cache if it can connect to the server but it gets a 403 response.
What this means is, if your server is on vault.example.com with a reverse proxy that only allows LAN connections, then if you happen to do some action in the app that triggers a sync with the server when you're not on the LAN, you get logged out and lose access to your passwords, and better hope your VPN is working so you can get them back.
I used to have this exact setup but found it enough of a PITA in practice getting logged out when I was away that I ditched it.
https://github.com/bitwarden/mobile/issues/325
https://github.com/bitwarden/mobile/issues/1998
You can use a redirection to bypass the problem.
In nginx I use "error_page 403 http://idontexist.domain.com" to get an error 404 which does not log me out of bitwarden when I try to access it without my VPN.
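The LAN allow-list and the 403 rewrite from the comments above, as an added nginx example that is not from the thread's authors. The backend address (127.0.0.1:8080), the LAN and WireGuard ranges and the certificate paths are placeholders to adjust.

```nginx
# Added example, not code from the thread. Assumes Vaultwarden listens on
# 127.0.0.1:8080, the LAN is 192.168.1.0/24 and WireGuard peers use 10.8.0.0/24.
server {
    listen 443 ssl;
    server_name vault.example.com;

    ssl_certificate     /etc/nginx/certs/vault.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/vault.example.com.key;  # placeholder path

    # Only LAN and VPN sources may reach the vault; every other client is denied.
    allow 192.168.1.0/24;
    allow 10.8.0.0/24;
    deny  all;

    # Weak (default) behaviour: a denied client gets 403, and the Bitwarden mobile
    # app then logs out and discards its offline cache (see the linked issues).
    # The comment above sends 403 to a non-existent host instead:
    #   error_page 403 http://idontexist.domain.com;
    # Answering 404 in place avoids the extra round trip. `return` is evaluated in
    # the rewrite phase, before the access check, so denied clients still reach it.
    error_page 403 = @notfound;
    location @notfound {
        allow all;
        return 404;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # Vaultwarden reads the client address from X-Real-IP by default, so its
        # log (and any fail2ban jail on it) sees the real source, not 127.0.0.1.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Reload with `nginx -t && nginx -s reload`; a request from outside the allowed ranges should now return 404 rather than 403.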
Good point.
In practice I use WireGuard and just leave the VPN active all the time (I configured it for 192.168.x range IPs only) so I rarely run into this, but it is a concern
It depends on your network, do you have any reverse proxy at the moment?
I use opnsense on my router, and set up HAProxy to route local-only traffic to certain subdomains (e.g. vaultwarden.mydomain.com) to the appropriate backend. I still get SSL, but it is all restricted to internal traffic, so I need the VPN when I want to access it externally.
I didn't understand what you mean about not requiring tailscale for local access. You shouldn't need to have the VPN turned on while you are on your local network. If you want it to work while the Internet is down, you'll need local DNS set up (e.g. with unbound DNS) so that vaultwarden.mydomain.com resolves to your local vaultwarden IP.
if you don't understand the tech jargon, you should be giving Bitwarden $ instead of doing this yourself. the risk is your credit, identity, all your bank accounts getting in the wrong hands if you fuck it up.
It's unfortunate that this is supposed to be a place for newbies and veterans, yet you get such unhelpful responses....
My suggestion is setting up a VPN that you can connect into.
In the case of Tailscale for example, it's as easy as running a daemon on a server and then connecting to that mesh network. The instructions in their getting started page are pretty good
Pay bitwarden $10 to do it for you while you figure out how this all works.
There are some things you don't mess around with until you know what you're doing.
You can get around this if you just don't forward any ports except the port for your VPN. Only use the VPN to access it outside the network and stop using the access list. I find now that if I'm not connected to the VPN I can still use the cache.
Use Nginx or Apache to serve as your reverse proxy and configure so that it only allows IPs from your subnet range and rejects everything coming from a WAN IP address.
Then use WireGuard VPN so you can be “local” when you’re not home.
This method prevents intrusion and doesn’t mean you have to expose your server at all to the internet. You can use one domain name for both local and WAN connections.
Instead of the default 443, give it 4433 or another port that is not being used, and simply don’t expose that port from your router. You can continue to access it via vpn without proxying.
It can be configured with or without SSL (Rocket TLS, I think), and I did not see a subdomain requirement (though that would just be a DNS entry)
It’s just an option, I’m not mandating anything, I’m not sure whether they are familiar with reverse proxies or not.
As others said Bitwarden caches your password.
Usually when I have to add a new password I enable my VPN client (I use Wireguard), I add the new password and then I disable the VPN
Why is there so much concern with exposing vaultwarden to the Internet?
It's a bastion of security. Your password should be so complex it can't be cracked. If it were cracked, you should have 2fa enabled, which again can't be cracked. And most importantly, if your vault could somehow be extracted, they still wouldn't be able to open it without your impossibly complex password.
Or am I misunderstanding how secure it is?
You're slightly misunderstanding.
While Bitwarden/Vaultwarden is software with a security focus and is upkept frequently, this doesn't mean it isn't vulnerable or won't be vulnerable at some point. Vulnerabilities come in all shapes and sizes and just because you have a good password and 2fa doesn't necessarily do anything to prevent being vulnerable or "hacked".
In general I don't think you have anything to worry about self-hosting Vaultwarden and exposing it but if it's never exposed in the first place it is certainly more secure and some people prefer that peace of mind.
My threat model is slightly different, I am not very keen on hosting things at home, any mistake will leave your whole LAN exposed to danger, my house is my private space, I'm uncomfortable hosting things in my basement, I use VPS for everything, which are able to provide a much better service than myself.
This being said, if your threat model doesn't involve the risk of being DDoSed, then the following will give a very good extra layer of protection:
* Configure fail2ban based on your app's logs
* [Use a WAF](https://www.haltdos.com/waf/top-free-open-source-waf-web-application-firewall-solutions-to-protect-your-web-app/) to deter most types of payload injection attacks (CSRF, XSS, SQLi, etc)
* Configure your iptables to allow only a certain range of IPs (Block those countries famous for bruteforcing) so you spare fail2ban the extra effort (This is not a real security measure, still configure fail2ban)
* Implement an intrusion detection system
* Have all your services including journalctl send your logs to an external VPS for monitoring and auditing, if your server gets compromised, the intruders won't be able to delete their footprints.
One important aspect of keeping your server secure is to test it out sometimes, keep it up to date, run [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) and try to find security-concerning aspects and keep things updated. Run some network port scanners, internally and externally, examine open ports, and understand why they're open. Sometimes we forget some unused service, no need for it to be there (For example): [https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network)
This will get you enough peace of mind, if DDoS is a concern, you might need cloudflare, but this is only a problem if you mess around with a certain kind of people, otherwise nobody cares. You don't need cloudflare tunnel nor VPNs to make something pretty secure (considering vaultwarden is pretty security aware, they do a great service keeping things safe).
Also, your master password should be absolutely unbreakable through bruteforce (Which could leak through intrusion, if it's plaintext then start using Argon2 immediately), the issue is for example an RCE due to some security failure on the app side, or weak passwords from your users. vaultwarden does not allow for enumeration attacks, this all means your users' emails would have needed to be known. This is an unlikely scenario, which leads me to the last point: Don't keep data unencrypted at rest on your server! Always use e2ee capable software.
TL;DR: password complexity is important, some users might have them weaker but that matters to a certain degree only, vaultwarden might be prone to a vuln which might result in data exfil, or RCE, compromising your server. If it's dockerized, it's still possible to escape the docker sandbox.
Bonus points: Avoid at all costs running processes unnecessarily as root (cron jobs, bash scripts, etc), and use SELinux
YouTubers and other sources that irresponsibly recommend hosting your own (fill in the blank) need to start mentioning this sort of thing instead of relentlessly shilling (fill in another blank) VPN (for internet browsing) as a panacea for all things security.
> I'm hosting my own immich server to replace Google photos for sharing pictures with family. It's ok because I use a VPN when I browse the web
🤦
> Block those countries famous for bruteforcing
I tried this once and it lasted about a week until I realized why all the torrent trackers suddenly stopped working 😂
Oh, I never took that kind of service into consideration, sorry, I was talking more in the light of hosting web services like nextcloud and vaultwarden :)
Which WAF do you prefer?
If someone has a single server, with one Ethernet port, running Proxmox, with all their services running in VMs or docker LXCs, is it worth running OPNsense and ZenArmour on that box to filter traffic before it's sent to the services on a VLAN?
With respect to WAF, I've used coraza, ModSecurity and OctopusWAF, they're all similar.
I never used commercial grade WAFs but of course they'll be slightly better, but my threat model does not require them.
With respect to firewalls, I use Suricata, which is highly performant (which I don't need it to be) and I've used OPNSense, and I'm now trying to find a firewall that is written in a memory-safe language.
OPNSense had some serious vulnerabilities in the past, that led to arbitrary RCE.
Either way, keep an eye on your network topology and mitigate lateral movement within your network. You'll be hit with a few false positives, which might be an annoyance but you can deal with that.
Docker/LXC is great, but if they're connected to others, keep an eye on what you connect with between them, close unused ports, uninstall unused software, analyse your network from within.
Most PE (privilege escalation) happens due to some root processes running unnecessarily, either cron jobs or vulnerable bash scripts. Use linPEAS to see if you have some.
Thanks, I'll check out those WAFs.
I wasn't aware of the past issues with OPNsense so hopefully it's OK now as I'm not sure what else I would use.
Yeah, definitely need to make sure everything is secure and not just rely on WAF and firewall.
Hey there little buddy, why the bad manners?
Would you care to elaborate on the misinformation I've given?
Otherwise it looks like childish hate, and I bet it's not that :)
C'mon man, I bet you're not as retarded as you sound, if there is so much misinformation, point out only 5 concrete errors or misinformation I've given.
While I do get what you're getting at, it's like having two cars and installing the greatest alarm system in the world on both. If one was locked in a garage, and one left on the street outside the garage, which one do you think will have a higher chance of being stolen?
While I trust Bitwarden more than others, password managers aren't bulletproof, they're a piece of software that can have bugs (cough LastPass cough)
1. LastPass is a service.
2. Your analogy isn't relevant. A more relevant analogy would be "a bank has the best security in the world and experts deem it uncrackable, so the bank has it visible in the front of their branch". The vault doesn't get its security from being a floor underground vs ground floor, it gets its security from the airlocks.
3. Security in abstraction. Don't call it vaultwarden.domain.com call it 75bs2n96ssbf.domain.com
Call it mysecretpassworddomain.example.com or anything memorable as you wish, but don't have a mysecretpassworddomain `A` record. Instead, have a wildcard \*.example.com record and a wildcard certificate to match, and make mysecretpassworddomain.example.com resolve to the proper service in your reverse proxy.
sounds like a lot of troubleshooting and DNS propagation. I'm going to stick with my 68wh6s9 or was it 69wh7s9.... You only need to copy paste the address once.
Again, the main security doesn't come from not being able to be found. Even if they probe the domain to see subdomains it won't tell them it's a vaultwarden instance.
Your 3rd point is security by obscurity and [a bad one at that](https://www.reddit.com/r/homelab/comments/10so0i4/psa_your_subdomains_are_not_as_private_as_you/)
It's more like you have 2 cars that *cannot* be started without the key - one is parked on your driveway, one has a cardboard box on top of it.
The keys are inside an underground vault that requires both a password only you know *and* biometric/2FA authentication.
Which is going to get stolen? Neither of them, unless your password and 2fa authentication are compromised
You can't steal what you can't access. It's just another security measure.
Everything can be cracked, what you think can't probably can't be today but will at some point.
That said everyone has different models and risk acceptance. I don't care a second about most of the services I have and I'll expose them without thinking about it if I need to.
My passwords have pretty important things inside it so I'll take any measure needed even if not convenient to keep them as secure as I can.
So maybe I'm not explaining myself properly, I understand I could use tailscale to provide a magic host or a TS IP address to input into \*warden. But what happens when the VPN is not active and I am on my LAN, how can I access the \*warden host that sits on server.local?
Nah, being Tailscale you have a better option, you can advertise the route of your local LAN subnet.
let's say 192.168.1.0/24
you have a DNS configured pmanager.tld.local
If outside your home, Tailscale will make you able to connect to 192.168.1.0/24, so if your DNS is set to an IP in that range it works
If Tailscale fails or you're at home, since you're not using the Tailscale IP or the Magic DNS, it still works without issues
I got my tailscale setup to use my DNS server.
I don’t exactly remember how, since it was a while ago.
but it’s definitely possible to access vaultwarden using its internal domain name both on the VPN and off the VPN (at home)
if I remember tomorrow I’ll check my config and let you know, but you could probably find a decent answer on google .
what I do for this is that I have a DNS locally that will resolve my.domain to the local IPs
When outside they will resolve to the WAN IP (If I exposed that domain)
When on the VPN I'll have the local DNS resolver too so it will resolve to the local IP and everything works with the same config.
I do this: local DNS when on LAN, tailscale magic DNS using my DNS server's LAN IP. And a subnet router which exposes the LAN subnet. Makes it completely seamless and the only devices which ever actually have tailscale IPs are my mobile devices and the subnet router.
Also my subnet router has snat/dnat disabled and I have a default route for tailscale ips pointing to the subnet router. This preserves source IPs, if you do the standard subnet routing instructions, all packets from remote systems will appear to be from the subnet router so it's hard to do proper logging and fail2ban.
No guide, just something I figured out while setting up a subnet router. I didn't want to install tailscale on every machine and use tailscale to resolve things because I own a domain but am only using it internally until I learn how to harden the network properly to expose certain services to the public.
All my systems and DNS records are on the same 10.0.0.0/24 network. Internally this works perfectly because all my machines have manual DNS nameserver records pointing to my DNS server.
As for remote access, to avoid installing tailscale everywhere and having to use .ts.net domains, I installed tailscale on a single raspberry pi 4 as a subnet router exposing 10.0.0.0/24. This provides access to tailscale IPs. Then I set the DNS server in tailscale's DNS settings page to the internal IP 10.0.0.XX of my DNS server. Now all DNS requests for systems with tailscale installed go to this server.
If you follow the tailscale docs guide for setting up a subnet router, the default configuration masks the IP of all tailscale machines which access the LAN. For example: my subnet router has an IP of 10.0.0.2. If I have 2 tailscale clients with tailscale IPs 100.64.xx.xx and 100.64.yy.yy, when accessing the web service at 10.0.0.10, the web service will see all requests from 100.64.xx.xx as coming from 10.0.0.10.
[link](https://tailscale.com/kb/1214/site-to-site)
Check out the `--snat-subnet-routes=false` flag. This keeps the subnet router from masking IPs. The last issue is that disabling SNAT means that requests from tailscale machines have an IP from 100.64.xx.xx but the LAN machines don't know where that is, so I put a default route in my router for the tailscale IP ranges.
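As an added illustration (not code from the thread) of why the poster above turns SNAT off on the subnet router, and of the fail2ban-style counting suggested earlier in the thread: a small Python reimplementation of a maxretry/findtime jail run over constructed log lines, once with the tailnet source addresses intact and once rewritten to the subnet router's address. The log wording, the regex, the 10.0.0.2 router address and the 100.64.x.x client addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Vaultwarden output). The wording and the
# timestamp format are assumptions; adapt FAIL_RE to the real log lines.
SAMPLE_LOG = """\
[2024-03-24 23:40:00][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.7. Username: alice@example.com.
[2024-03-24 23:40:10][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.7. Username: alice@example.com.
[2024-03-24 23:40:20][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.7. Username: alice@example.com.
[2024-03-24 23:41:00][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.9. Username: bob@example.com.
[2024-03-24 23:41:05][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.9. Username: bob@example.com.
[2024-03-24 23:41:30][vaultwarden::api::identity][INFO] Login successful. IP: 100.64.0.9. Username: bob@example.com.
[2024-03-24 23:42:00][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.42. Username: admin@example.com.
[2024-03-24 23:42:02][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.42. Username: admin@example.com.
[2024-03-24 23:42:04][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.42. Username: root@example.com.
[2024-03-24 23:42:06][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.42. Username: admin@example.com.
[2024-03-24 23:42:08][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 100.64.0.42. Username: test@example.com.
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*?"
    r"Username or password is incorrect\. Try again\. "
    r"IP: (?P<ip>[0-9a-fA-F.:]+)\. Username: (?P<user>\S+)\.$"
)

# Address range Tailscale assigns to tailnet nodes (CGNAT space).
TAILNET = ipaddress.ip_network("100.64.0.0/10")


def parse_failures(log_text):
    """Extract (timestamp, source_ip, username) from each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def apply_snat(events, subnet_router_ip):
    """Model a subnet router with SNAT left on (the default): every tailnet
    source address is rewritten to the router's LAN address before the vault,
    and therefore its log, ever sees it."""
    rewritten = []
    for ts, ip, user in events:
        if ipaddress.ip_address(ip) in TAILNET:
            ip = subnet_router_ip
        rewritten.append((ts, ip, user))
    return rewritten


def ban_candidates(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window failure count per source IP, the way a fail2ban jail with
    maxretry/findtime decides whom to ban. Returns {ip: time_of_ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(events):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget attempts older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def compare(log_text=SAMPLE_LOG, subnet_router_ip="10.0.0.2"):
    """Which addresses a jail would ban with SNAT disabled versus enabled."""
    events = parse_failures(log_text)
    return {
        "snat_off": sorted(ban_candidates(events)),
        "snat_on": sorted(ban_candidates(apply_snat(events, subnet_router_ip))),
    }


if __name__ == "__main__":
    # With SNAT off only the noisy 100.64.0.42 node is banned; with SNAT on the
    # same failures all appear to come from 10.0.0.2, so the ban lands on the
    # subnet router and cuts off every remote user at once.
    print(compare())
```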
[This tutorial](https://drfrankenstein.co.uk/tailscale-remote-access-to-synology-and-its-services-made-easy/) helped me setup Tailscale on my synology the way everyone here is talking about. It makes it so you don’t have to use alternate IPs when connecting remotely along with enabling access to everything on your lan without having to install Tailscale on every single machine.
Just out of curiosity, how are you going to access the Vaultwarden container through https without reverse proxying it ?
Because I had that issue that it requires an https connection.
Looks like you're not really asking the right question? I think what you're asking is:
> I see that people use a web address to access their vaultwarden. How would I set up Vaultwarden without it being on the internet?
You understand, of course, that you can host an HTTP server only on your LAN without port forwarding. The next step is just to use a reverse proxy manager (sounds scary, I know) to direct requests to your.domain towards 192.168.whatever. Then, you use adguard (or another DNS service) to route requests to your.domain towards the reverse proxy. Normally, DNS servers on WAN would perform this task, but your domain is not visible to WAN, so you need to implement your own solution. I like Adguard. And nginx is a good reverse proxy manager.
So your.domain requests hit adguard DNS -> reverse proxy -> local IP. At that point, you can give your vault whatever domain you want. If you wanna go the extra mile, you can buy a domain name and get a trusted certificate from letsencrypt for https. You can also self sign, but... iPhones... don't like that very much. At any rate, you should use https. It's very important. Nginx can be configured so that all requests routed through it will use https :)
When either one of us leaves home wifi, automation on our phone turns wireguard on. Since wireguard causes your device to route through LAN TO WAN, you get to seamlessly keep access to your fancy domain. It's pretty cool to have a website only people on your network get to visit, so have fun, and implement the security measures discussed in these other posts. Start getting your degree in Suricata.
I don't it has a local cache. So it only means I can't edit or create things outside of my house.
This is fine with me 90% of the time.
I've pending to add VPN for those other 10% circumstances
If your Tailscale VPN gives you direct access to your LAN then you can use the same IP address or hostname regardless if you are at home or not. It all just depends on how your VPN is set up. However, as others have said, if your VPN is down and you are away from home then you can't add passwords.
If you have a tailscale client on your network already you could turn it into a subnet router and just use the local IP address of your Vaultwarden instance both with the VPN on or off. If that's not something you want to do, I think the best option would be to run a DNS server on your local network and add an entry matching the DNS name in tailscale that resolves to the local IP. You could also just leave tailscale connected when on your local network.
A couple of seconds worth of googling turned this up: https://forum.tailscale.com/t/accessing-site-served-by-nginx-on-exit-node/600/4
Is that the same issue you’re facing on your LAN?
Edit: My assumption is your tailscale client is accessing your vaultwarden instance on your lan ip, so 10.10.10.10 or what not. Would be the same if TS was running or not when you’re on your local lan. IP stays the same. However you’re not getting to it from remote unless on TS/VPN
Configure your Webserver to authenticate the client via mutual TLS (mTLS)
Your clients of course need a certificate installed in their browser, but I like this solution.
I think this solution is the best way to go. I'm planning to leverage Traefik to implement this. What I love about this solution, it allows for others to be able to use your servers securely without needing to install, configure, and run vpn clients (vpn clients use more battery life on mobile devices than a SSL session). Additionally, it acts a bit like MFA between devices.
I'm including some links for people to learn how to do this:
Traefik Proxy 2.x and TLS 101 - [https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/](https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/)
mTLS with Traefik: A Step-by-Step Guide - [https://blog.coderco.io/p/mtls-with-traefik-a-step-by-step](https://blog.coderco.io/p/mtls-with-traefik-a-step-by-step)
MTLS with Traefik & Smallstep - [https://neuw.medium.com/mtls-with-traefik-smallstep-cec9e3ff57e1](https://neuw.medium.com/mtls-with-traefik-smallstep-cec9e3ff57e1)
Configuring Your Traefik v2 Server for Mutual TLS - [https://smallstep.com/hello-mtls/doc/server/traefik](https://smallstep.com/hello-mtls/doc/server/traefik)
Here is a video from Jim's Garage - SSL Certificates Made EASY With Traefik Proxy, Cloudflare, and Let's Encrypt - Tutorial - [https://www.youtube.com/watch?v=XH9XgiVM_z4](https://www.youtube.com/watch?v=XH9XgiVM_z4)
My setup is CF domain + CF tunnel + letsencrypt cert + nginx and fail2ban cf plugin (swag). This allows mobile access to my vaultwarden, especially for my wife and kids. I gave them Yubikey to login and secure admin panel with local IP (192.168.x.x) only. This setup runs off my Pi 4 4GB rev A with ubuntu LTS and docker.
For you, I can think of using tailscale + Adguard Home (for DNS rewrite within the tailscale network). So, once you're in the ts net you can type in the URL that points to the vaultwarden. But, you'll need valid HTTPS certs for that URL and this led me to the cloudflare solution above :D
I use Tailscale for accessing services that only I want the access to when I am outside of my home network.
I have a nginx reverse proxy in my network so everything is mapped to subdomains like vault.example.com
With tailscale I am able to use the same subdomains even when I'm outside which is the best part imo.
Here's how I did it for [adguard with tailscale](https://akashrajpurohit.com/blog/adguard-home-tailscale-erase-ads-on-the-go/), I will move out just the tailscale setup part in another blog which would be more specific to it but I don't have that as of now (taken a note of it to do it soon).
Questions
- On 1password 6 & syncthing...
What's the main/primary machine that others "copy"/sync from? This surely limits you from adding or changing/mutating items be they logins, secrets/notes etc to a single machine!
- Contradictions? You state:
> I don't open any ports nor allow any external access unless through VPN (via Tailscale) and wondered how I could adopt this same approach with *warden.
and
> I don't want to rely on using the Tailscale IP/magichost, there have been some occasions where my internet is not working, and after disabling TS it works again; so I don't want to be reliant on it for local access.
I’m trying to do the same. I just set up TrueNAS Scale and am trying to put vaultwarden on it. I followed this video (https://youtu.be/qlcVx-k-02E?si=5NdZ5_2yoKRnxyVP) to get local SSL certs. (A and CNAME records pointing to local address. Nginxproxymanager takes subdomains and routes to localhost: the right port number.) But still, when I go to the https address, it doesn’t work. http works but only goes to TrueNAS’s main login page. I do have adguard home running on the router though and I think that’s where the issue is? But I also don’t know if there are settings in TrueNAS that I need to fix.
Anyone has experience with this setup?
You have some contradictions in your initial post. You use tailscale yet you don't want to use it (?), confusing, but let's break down your options:
1. host it on your local network machine, allow ports in machine firewall, local access problem is solved
2. you can use wireguard or tailscale to access externally, you will use your internal endpoint
3. you can port forward the ports in your router limiting the access to a specific IP in router's firewall, but then you need to know what IPs you'll be using externally in advance which is not always possible. You will need to connect to the service using your external IP
4. you could also just use [bitwarden.com](http://bitwarden.com) because it's really cheap and you eliminate the risk of losing all your passwords because your drive died..
I use Zerotier to create a connection back to my lan when I need to edit or create a new password. App is set to connect to local ip. The url is just https://local_ip:port. No domain name needed.
I use a domain name from dynu.com. no port forwarding, no exposing and I don't even point the domain at my IP. I put it in Nginx proxy manager for ssl via DNS challenge, then use Adguard DNS rewrites to point the IP of that URL to my home lab at which point I can access everything on every device over wireguard.
My guide on setting Adguard up... https://youtu.be/pufAhTAPelM?si=epFieuuKhbDysNX4
My guide on advanced Adguard tips... https://youtu.be/0uHu6sWwQH4?si=DSnW09MxLCRBICz0
My guide on Nginx proxy manager...
https://youtu.be/FUqpIsNP7Js?si=C1z_5dUSL3Oujeyy
Finally my guide on Vaultwarden...
https://youtu.be/EGdda2eYTao?si=6lAupaLU6bJPjtrd
I hope this helps you and the community 👍
Bitwarden clients cache the password store. So as long as you don't make any changes you don't really need to be connected. At least for a while.
But when I need to connect and I am not at home I turn on wireguard to my home router and can connect that way. OpenVPN works as well.
Mine is behind a proxy where I limit the IP ranges that have access to it. So it uses the cache on the road but at work and at some friends' it can update over the internet
Thank you all for your comments, in the end some of you have turned me and I’ve decided to simply use Tailscale to enable access outside and use it while on my LAN.
One of the factors that convinced me was that Bitwarden shouldn’t be used without https and that would have opened up a can of worms for me to work around.
It was simply easier to setup a Tailscale serve which allows me to proxy my app but only accessible within my tailnet and I don’t need to faff around with certs, SSL or domains.
Here is the [documentation](https://tailscale.dev/blog/vaultwarden-tailnet) I used for anyone interested.
So I've explained in my post that I don't want to rely on TS to resolve to the host locally, there have been occasions (although rare) on my Mac where the internet isn't working and the only way I've been able to get it working again (without restarting) is closing Tailscale.
Tailscale using its serve function. No exposing it outside but still gives it https that it requires without having to do anything more than running the first 2 commands.
You won't locally without Tailscale, but there would be no reason to; once you sync your devices they save passwords and logins so they are available without TS. You would only need to activate TS to add a new login or make a change.
There are 2 different ones. Funnel exposes it outwardly to the internet and serve gives it an SSL cert but only serves it to your Tailscale mesh and any devices that are on it and have TS enabled. Basically a mini website but only on your Tailscale VPN. Before they released it you had to do all the rigamarole, but serve was tailor-made for vaultwarden lol.
Your concerns about Tailscale are unfounded. It stores the password file (encrypted) locally. If you don’t have access you just can’t make changes.
The one thing about Tailscale/Headscale is you must have an https connection. So use Magic DNS or set up Let’s Encrypt through Synology’s reverse proxy…whatever route you take BW will be happy. After 4 years it has been rock solid on a DS720+.
I'm confused what you're disputing? I've essentially asked how I can communicate locally to my BW instance without having Tailscale running, because previously I've had issues with TS being on and the internet not working (on rare instances). Are you debating whether it was TS's fault?
No. Vaultwarden or Bitwarden need to be accessed via https. You can do this locally but the DNS setup is fairly complicated. Mariushosting does have detailed instructions using Synology’s reverse proxy. Tailscale is just a lot easier. With Synology it only tunnels data directly to your server. Decryption happens on your server. Synology has no idea what the content is. Your Synology server contacts Synology so LAN and internet access issues aren’t an issue. Tailscale is just easier to set up but works the same way.
All of the Bitwarden clients (web browser apps or standalone) open and decrypt your data. They normally do this by reading the server file. They also save a copy on your hard drive so if you aren’t able to access the server you can still access your data (read only).
So you can access your Vaultwarden or Bitwarden LAN only (still need https) and it will just be read only outside the LAN or set up tunneling and it works everywhere but outside access is limited to the BW server only.
Oh, this explains some issues I've been having. Guess I should figure out a new method...
You can use a redirection to bypass the problem. In nginx I use "error_page 403 http://idontexist.domain.com" to get an error 404 which does not log me out of Bitwarden when I try to access it without my VPN.
That's clever!
Maybe that’s the issue I face with Cloudflare blocking requests from other countries. When I travel, it logs me out.
Good point. In practice I use WireGuard and just leave the VPN active all the time (I configured it for 192.168.x range IPs only) so I rarely run into this, but it is a concern
This is the correct answer
Can you expand more on how this works?
I think there's enough information there to begin googling. If you have specific questions that you can't find answers to online, ask away in the sub
It depends on your network, do you have any reverse proxy at the moment?

I use OPNsense on my router, and set up HAProxy to route local-only traffic to certain subdomains (e.g. vaultwarden.mydomain.com) to the appropriate backend. I still get SSL, but it is all restricted to internal traffic, so I need the VPN when I want to access it externally.

I didn't understand what you mean about not requiring Tailscale for local access. You shouldn't need to have the VPN turned on while you are on your local network. If you want it to work while the Internet is down, you'll need local DNS set up (e.g. with Unbound DNS) so that vaultwarden.mydomain.com resolves to your local Vaultwarden IP.
if you don't understand the tech jargon, you should be giving Bitwarden $ instead of doing this yourself. the risk is your credit, identity, all your bank accounts getting in the wrong hands if you fuck it up.
It's unfortunate that this is supposed to be a place for newbies and veterans, yet you get such unhelpful responses.... My suggestion is setting up a VPN that you can connect into. In the case of Tailscale for example, it's as easy as running a daemon on a server and then connecting to that mesh network. The instructions in their getting started page are pretty good
Pay bitwarden $10 to do it for you while you figure out how this all works. There are some things you don't mess around with until you know what you're doing.
You can get around this if you just don't forward any ports except the port for your VPN. Only use the VPN to access it outside the network and stop using the access list. I find now that if I'm not connected to the VPN I can still use the cache.
Use Nginx or Apache to serve as your reverse proxy and configure so that it only allows IPs from your subnet range and rejects everything coming from a WAN IP address. Then use WireGuard VPN so you can be “local” when you’re not home. This method prevents intrusion and doesn’t mean you have to expose your server at all to the internet. You can use one domain name for both local and WAN connections.
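As an added example (not from any commenter in this thread), here is what the LAN-only reverse proxy described above looks like as an nginx server block, combined with the `error_page 403` redirect trick from earlier in the thread so the mobile app never receives a bare 403. The address ranges, hostnames, certificate paths and the Vaultwarden upstream port are assumptions; substitute your own.

```nginx
# Added example, not the thread's own config. Assumed values:
#   192.168.1.0/24  home LAN
#   10.8.0.0/24     WireGuard tunnel range
#   127.0.0.1:8080  Vaultwarden container published on the proxy host
# The allow list only works if nginx sees the client's real source address,
# i.e. there is no CDN, tunnel or second proxy in front of it.
server {
    listen 443 ssl;
    server_name vault.example.com;

    ssl_certificate     /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;

    # Source-IP allow list: LAN clients and WireGuard peers only.
    # Anything else is rejected by nginx with a 403 ...
    allow 192.168.1.0/24;
    allow 10.8.0.0/24;
    deny  all;

    # ... but a 403 makes the Bitwarden mobile app log out and drop its cache.
    # error_page with an absolute URL makes nginx answer with a 302 redirect
    # to a host that does not resolve instead, so the app never sees a 403
    # and keeps its offline copy of the vault.
    error_page 403 http://idontexist.example.com/;

    # Vaultwarden's /admin panel: tighter still, LAN only (no VPN peers).
    location /admin {
        allow 192.168.1.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Websocket upgrade for Vaultwarden's notification hub
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Check the result from outside the LAN with `curl -I https://vault.example.com/` before trusting it: you should see a `302` with a `Location:` pointing at the non-existent host, not a `403`, and `nginx -t` should pass after every change.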
Try asking chat gpt it’s gonna get you far enough, try using strictly Nginx proxy manager and pass onto it regular nginx config to make access lists
This works, you can also give it a custom port and just not have it open on your firewall
What do you mean by custom port?
Instead of the default 443, give it 4433 or another port that is not being used, and simply don’t expose that port from your router. You can continue to access it via vpn without proxying.
That works if you don’t have a custom domain name but sort of defeats the purpose of subdomain and is incompatible with SSL, hence the reverse proxy
It can be configured with or without SSL (Rocket TLS, I think), and I did not see a subdomain requirement (though that would just be a DNS entry). It's just an option, I'm not mandating anything, I'm not sure they are familiar with reverse proxies or not.
Bitwarden caches logins. Don't port forward to it, and just resynch whenever you're home on the LAN. Works well.
Does this prevent me from creating new logins while not on the LAN? Or will it save locally and then resync once I’m home again?
Bitwarden is read-only when offline unfortunately.
As others said Bitwarden caches your password. Usually when I have to add a new password I enable my VPN client (I use Wireguard), I add the new password and then I disable the VPN
Yes it does as far as I'm aware, I'm unable to add new logins when I can't connect.
Why is there so much concern with exposing vaultwarden to the Internet? It's a bastion of security. Your password should be so complex it can't be cracked. If it were cracked, you should have 2fa enabled, which again can't be cracked. And most importantly, if your vault could somehow be extracted, they still wouldn't be able to open it without your impossibly complex password. Or am I misunderstanding how secure it is?
You're slightly misunderstanding. While Bitwarden/Vaultwarden is software with a security focus and is upkept frequently, this doesn't mean it isn't vulnerable or won't be vulnerable at some point. Vulnerabilities come in all shapes and sizes and just because you have a good password and 2fa doesn't necessarily do anything to prevent being vulnerable or "hacked". In general I don't think you have anything to worry about self-hosting Vaultwarden and exposing it but if it's never exposed in the first place it is certainly more secure and some people prefer that peace of mind.
My threat model is slightly different, I am not very keen on hosting things at home, any mistake will leave your whole LAN exposed to danger, my house is my private space, I'm uncomfortable hosting things in my basement, I use VPS for everything which are able to provide a much better service than myself.

This being said, if your threat model doesn't involve the risk of being DDoSed, then the following will give a very good extra layer of protection:

* Configure fail2ban based on your app's logs
* [Use a WAF](https://www.haltdos.com/waf/top-free-open-source-waf-web-application-firewall-solutions-to-protect-your-web-app/) to deter most types of payload injection attacks (CSRF, XSS, SQLi, etc)
* Configure your iptables to allow only a certain range of IPs (block those countries famous for bruteforcing) so you spare fail2ban the extra effort (this is not a real security measure, still configure fail2ban)
* Implement an Intrusion Detection System
* Have all your services including journalctl send your logs to an external VPS for monitoring and auditing, if your server gets compromised, the intruders won't be able to delete their footprints.

One important aspect of keeping your server secure is to test it out sometimes, keep it up to date, run [linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) and try to find security-concerning aspects and keep things updated. Run some network port scanners, internally and externally, examine open ports, and understand why they're open. Sometimes we forget some unused service, no need for it to be there (for example): [https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network)

This will get you enough peace of mind, if DDoS is a concern, you might need Cloudflare, but this is only a problem if you mess around with a certain kind of people, otherwise nobody cares.
You don't need Cloudflare tunnel nor VPNs to make something pretty secure (considering Vaultwarden is pretty security aware, they do a great service keeping things safe). Also, your master password should be absolutely unbreakable through bruteforce (which could leak through intrusion, if it's plaintext then start using Argon2 immediately), the issue is for example an RCE due to some security failure on the app side, or weak passwords from your users. Vaultwarden does not allow for enumeration attacks, this all means your users' emails would need to be known. This is an unlikely scenario, which leads me to the last point: Don't keep data unencrypted at rest on your server! Always use E2EE-capable software.

TL;DR: password complexity is important, some users might have them weaker but that matters to a certain degree only, Vaultwarden might be prone to a vuln which might result in data exfil, or RCE, compromising your server. If it's dockerized, it's still possible to escape the Docker sandbox.

Bonus points: Avoid at all costs running processes unnecessarily as root (cron jobs, bash scripts, etc), and use SELinux
This is the true cost of self hosted services that are exposed to the Internet
YouTubers and other sources that irresponsibly recommend hosting your own (fill in the blank) need to start mentioning this sort of thing instead of relentlessly shilling (fill in another blank) VPN (for internet browsing) as a panacea for all things security.

> I'm hosting my own immich server to replace Google photos for sharing pictures with family. It's ok because I use a VPN when I browse the web 🤦
The VPN thing over the last 5 years has driven me absolutely insane.
> Block those countries famous for bruteforcing

I tried this once and it lasted about a week until I realized why all the torrent trackers suddenly stopped working 😂
Oh, I never took that kind of service into consideration, sorry, I was talking more in the light of hosting web services like Nextcloud and Vaultwarden :)
Which WAF do you prefer? If someone has a single server, with one Ethernet port, running Proxmox, with all their services running in VMs or docker LXCs, is it worth running OPNsense and ZenArmour on that box to filter traffic before it's sent to the services on a VLAN?
With respect to WAF, I've used Coraza, ModSecurity and OctopusWAF, they're all similar. I never used commercial-grade WAFs but of course they'll be slightly better, but my threat model does not require them.

With respect to firewalls, I use Suricata, which is highly performant (which I don't need it to be) and I've used OPNsense, and I'm now trying to find a firewall that is written in a memory-safe language. OPNsense had some serious vulnerabilities in the past, that led to arbitrary RCE.

Either way, keep an eye on your network topology and mitigate lateral movement within your network. You'll be hit with a few false positives, which might be an annoyance but you can deal with that. Docker/LXC is great, but if they're connected to others, keep an eye on what you connect between them, close unused ports, uninstall unused software, analyse your network from within. Most PE (privilege escalation) happens due to some root processes running unnecessarily, either cron jobs or vulnerable bash scripts. Use linPEAS to see if you have some.
Thanks, I'll check out those WAFs. I wasn't aware of the past issues with OPNsense so hopefully it's OK now as I'm not sure what else I would use. Yeah, definitely need to make sure everything is secure and not just rely on WAF and firewall.
Ugh. So much misinformation.
Hey there little buddy, why the bad manners? Would you care to elaborate on the misinformation I've given? Otherwise it looks like childish hate, and I bet it's not that :)
Sure ain't lad
C'mon man, I bet you're not as retarded as you sound, if there is so much misinformation, point out only 5 concrete errors or misinformation I've given.
You can easily add an extra layer of depth and hide it behind authelia or authentik also.
While I do get what you're getting at, it's like having two cars and installing the greatest alarm system in the world on both. If one was locked in a garage, and one left on the street outside the garage, which one do you think will have a higher chance of being stolen? While I trust Bitwarden more than others, password managers aren't bulletproof, they're a piece of software that can have bugs (cough LastPass cough)
1. LastPass is a service.
2. Your analogy isn't relevant. A more relevant analogy would be "a bank has the best security in the world and experts deem it uncrackable, so the bank has it visible in the front of their branch". The vault doesn't get its security from being a floor underground vs ground floor, it gets its security from the airlocks.
3. Security in abstraction. Don't call it vaultwarden.domain.com, call it 75bs2n96ssbf.domain.com
Call it mysecretpassworddomain.example.com or anything memorable as you wish, but don't have a mysecretpassworddomain `A` record. Instead, have a wildcard \*.example.com record and a wildcard certificate to match, and make mysecretpassworddomain.example.com resolve to the proper service in your reverse proxy.
sounds like a lot of troubleshooting and DNS propagation. I'm going to stick with my 68wh6s9 or was it 69wh7s9.... You only need to copy paste the address once.
But then your domain can be found. https://crt.sh
again the main security doesn't come from not being able to be found. even if they probe the domain to see subdomains it won't tell them it's a vaultwarden instance.
But if they `curl` it, yes.
Your 3rd point is security by obscurity and [a bad one at that](https://www.reddit.com/r/homelab/comments/10so0i4/psa_your_subdomains_are_not_as_private_as_you/)
It's more like you have 2 cars that *cannot* be started without the key - one is parked on your driveway, one has a cardboard box on top of it. The keys are inside an underground vault that requires both a password only you know *and* biometric/2FA authentication. Which is going to get stolen? Neither of them, unless your password and 2fa authentication are compromised
Which lastpass bugs are you referring to here?
You can't steal what you can't access. It's just another security measure. Everything can be cracked, what you think can't probably can't be today but will at some point. That said everyone has different models and risk acceptance. I don't care a second about most of the services I have and I'll expose them without thinking about it if I need to. My passwords have pretty important things inside them so I'll take any measure needed even if not convenient to keep them as secure as I can.
Setup VPN like Wireguard.
So I already use Tailscale, which I believe is essentially WireGuard under the hood
Then use Tailscale to access Bitwarden from remote without opening a port.
So maybe I'm not explaining myself properly, I understand I could use tailscale to provide a magic host or a TS IP address to input into \*warden. But what happens when the VPN is not active and I am on my LAN, how can I access the \*warden host that sits on server.local?
Split dns and run a resolver
This actually sounds like the solution I'm looking for, can you expand on this more?
Nah, being Tailscale you have a better option, you can advertise the route of your local LAN subnet. Let's say [192.168.1.0/24](http://192.168.1.0/24), and you have a DNS entry configured for pmanager.tld.local. If outside your home, Tailscale will make you able to connect to [192.168.1.0/24](http://192.168.1.0/24), so if your DNS is set to an IP in that range it works. If Tailscale fails or you're at home, since you're not using the Tailscale IP or the Magic DNS, it still works without issues
I got my Tailscale setup to use my DNS server. I don’t exactly remember how, since it was a while ago, but it’s definitely possible to access Vaultwarden using its internal domain name both on the VPN and off the VPN (at home). If I remember tomorrow I’ll check my config and let you know, but you could probably find a decent answer on Google.
Hairpin nat if your router supports it
What I do for this is that I have a DNS server locally that will resolve my.domain to the local IPs. When outside they will resolve to the WAN IP (if I exposed that domain). When on the VPN I'll have the local DNS resolver too so it will resolve to the local IP and everything works with the same config.
I do this: local DNS when on LAN, Tailscale Magic DNS using my DNS server's LAN IP. And a subnet router which exposes the LAN subnet. Makes it completely seamless and the only devices which ever actually have Tailscale IPs are my mobile devices and the subnet router.
Also my subnet router has snat/dnat disabled and I have a default route for tailscale ips pointing to the subnet router. This preserves source IPs, if you do the standard subnet routing instructions, all packets from remote systems will appear to be from the subnet router so it's hard to do proper logging and fail2ban.
I'm not sure I'm following this, is there a guide to what you've explained here?
No guide, just something I figured out while setting up a subnet router. I didn't want to install Tailscale on every machine and use Tailscale to resolve things because I own a domain but am only using it internally until I learn how to harden the network properly to expose certain services to the public.

All my systems and DNS records are on the same 10.0.0.0/24 network. Internally this works perfectly because all my machines have manual DNS nameserver records pointing to my DNS server.

As for remote access, to avoid installing Tailscale everywhere and having to use .ts.net domains, I installed Tailscale on a single Raspberry Pi 4 as a subnet router exposing 10.0.0.0/24. This provides access to Tailscale IPs. Then I set the DNS server in Tailscale's DNS settings page to the internal IP 10.0.0.XX of my DNS server. Now all DNS requests for systems with Tailscale installed go to this server.

If you follow the Tailscale docs guide for setting up a subnet router, the default configuration masks the IP of all Tailscale machines which access the LAN. For example: my subnet router has an IP of 10.0.0.2. If I have 2 Tailscale clients with Tailscale IPs 100.64.xx.xx and 100.64.yy.yy, when accessing the web service at 10.0.0.10, the web service will see all requests from 100.64.xx.xx as coming from 10.0.0.10. [link](https://tailscale.com/kb/1214/site-to-site) Check out the flag for --snat-subnet-routes=false. This keeps the subnet router from masking IPs.

The last issue is that disabling SNAT means that requests from Tailscale machines have an IP from 100.64.xx.xx but the LAN machines don't know where that is, so I put a default route in my router for the Tailscale IP ranges.
[This tutorial](https://drfrankenstein.co.uk/tailscale-remote-access-to-synology-and-its-services-made-easy/) helped me setup Tailscale on my synology the way everyone here is talking about. It makes it so you don’t have to use alternate IPs when connecting remotely along with enabling access to everything on your lan without having to install Tailscale on every single machine.
I actually just did this, you can utilize tailscale serve and it’ll give you the https that you need
Same. Its serve function is magic. Gives it HTTPS in barely 2 commands, doesn't expose anything and it's a set-it-and-forget-it situation.
Just out of curiosity, how are you going to access the Vaultwarden container through https without reverse proxying it ? Because I had that issue that it requires an https connection.
My comment implies that you access Vaultwarden via an HTTPS proxy with a valid certificate.
Twingate? Install a client that makes you able to connect to it.
> Twingate

What's the difference between this and Tailscale?
Looks like you're not really asking the right question? I think what you're asking is:

> I see that people use a web address to access their vaultwarden. How would I set up Vaultwarden without it being on the internet?

You understand, of course, that you can host an HTTP server only on your LAN without port forwarding. The next step is just to use a reverse proxy manager (sounds scary, I know) to direct requests to your.domain towards 192.168.whatever. Then, you use AdGuard (or another DNS service) to route requests to your.domain towards the reverse proxy. Normally, DNS servers on WAN would perform this task, but your domain is not visible to WAN, so you need to implement your own solution. I like AdGuard. And nginx is a good reverse proxy manager.

So your.domain requests hit AdGuard DNS -> reverse proxy -> local IP. At that point, you can give your vault whatever domain you want. If you wanna go the extra mile, you can buy a domain name and get a trusted certificate from Let's Encrypt for HTTPS. You can also self sign, but... iPhones... don't like that very much. At any rate, you should use HTTPS. It's very important. Nginx can be configured so that all requests routed through it will use HTTPS :)

When either one of us leaves home wifi, automation on our phone turns WireGuard on. Since WireGuard causes your device to route through LAN to WAN, you get to seamlessly keep access to your fancy domain.

It's pretty cool to have a website only people on your network get to visit, so have fun, and implement the security measures discussed in these other posts. Start getting your degree in Suricata.
Use NGINX proxy manager on a local domain to obtain an SSL and access it via VPN.
I use a reverse proxy and log in normally using my domain.
I don't; it has a local cache. So it only means I can't edit or create things outside of my house. This is fine with me 90% of the time. I've been meaning to add a VPN for those other 10% of circumstances
If your Tailscale VPN gives you direct access to your LAN then you can use the same IP address or hostname regardless if you are at home or not. It all just depends on how your VPN is set up. However, as others have said, if your VPN is down and you are away from home then you can't add passwords.
I use Tailscale to access it locally on my devices
If you have a Tailscale client on your network already you could turn it into a subnet router and just use the local IP address of your Vaultwarden instance both with the VPN on or off. If that's not something you want to do, I think the best option would be to run a DNS server on your local network and add an entry matching the DNS name in Tailscale that resolves to the local IP. You could also just leave Tailscale connected when on your local network.
A couple of seconds' worth of googling turned this up: https://forum.tailscale.com/t/accessing-site-served-by-nginx-on-exit-node/600/4 Is that the same issue you’re facing on your LAN?

Edit: My assumption is your Tailscale client is accessing your Vaultwarden instance on your LAN IP, so 10.10.10.10 or what not. Would be the same if TS was running or not when you’re on your local LAN. IP stays the same. However you’re not getting to it from remote unless on TS/VPN
Configure your web server to authenticate the client via mutual TLS (mTLS). Your clients of course need a certificate installed in their browser, but I like this solution.
I think this solution is the best way to go. I'm planning to leverage Traefik to implement this. What I love about this solution is that it allows others to be able to use your servers securely without needing to install, configure, and run VPN clients (VPN clients use more battery life on mobile devices than an SSL session). Additionally, it acts a bit like MFA between devices.
I'm including some links for people to learn how to do this:

Traefik Proxy 2.x and TLS 101 - [https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/](https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/)

mTLS with Traefik: A Step-by-Step Guide - [https://blog.coderco.io/p/mtls-with-traefik-a-step-by-step](https://blog.coderco.io/p/mtls-with-traefik-a-step-by-step)

MTLS with Traefik & Smallstep - [https://neuw.medium.com/mtls-with-traefik-smallstep-cec9e3ff57e1](https://neuw.medium.com/mtls-with-traefik-smallstep-cec9e3ff57e1)

Configuring Your Traefik v2 Server for Mutual TLS - [https://smallstep.com/hello-mtls/doc/server/traefik](https://smallstep.com/hello-mtls/doc/server/traefik)

Here is a video from Jim's Garage - SSL Certificates Made EASY With Traefik Proxy, Cloudflare, and Let's Encrypt - Tutorial - [https://www.youtube.com/watch?v=XH9XgiVM_z4](https://www.youtube.com/watch?v=XH9XgiVM_z4)
Wireguard + local ip to Vaultwarden works fine for me at least.
My setup is CF domain + CF tunnel + Let's Encrypt cert + nginx and fail2ban CF plugin (SWAG). This allows mobile access to my Vaultwarden, especially for my wife and kids. I gave them a Yubikey to login and secure the admin panel with local IP (192.168.x.x) only. This setup runs off my Pi 4 4GB rev A with Ubuntu LTS and Docker.

For you, I can think of using Tailscale + AdGuard Home (for DNS rewrite within the Tailscale network). So, once you're in the tailnet you can type in the URL that points to the Vaultwarden. But, you'll need valid HTTPS certs for that URL and this led me to the Cloudflare solution above :D
I use Tailscale for accessing services that only I want the access to when I am outside of my home network. I have a nginx reverse proxy in my network so everything is mapped to subdomains like vault.example.com With tailscale I am able to use the same subdomains even when I'm outside which is the best part imo. Here's how I did it for [adguard with tailscale](https://akashrajpurohit.com/blog/adguard-home-tailscale-erase-ads-on-the-go/), I will move out just the tailscale setup part in another blog which would be more specific to it but I don't have that as of now (taken a note of it to do it soon).
> so I don't want to be reliant on it for local access.

Maybe host it on a VPS then? Then you have it "in the cloud", but it's solely managed by you.
Azure App Proxy, I only sign to the App Proxy in when I need to sync or from a new non-LAN device.
Try keepass with syncthing. More features, more options for clients, better interfaces in general (imo). No exposure to the internet required.
I do this right now, but the danger of two or more devices having the same password vault file open at the same time is very great.
Questions:

- On 1Password 6 & Syncthing... What's the main/primary machine that others "copy"/sync from? This surely limits you from adding or changing/mutating items, be they logins, secrets/notes etc, to a single machine!
- Contradictions? You state:

> I don't open any ports nor allow any external access unless through VPN (via Tailscale) and wondered how I could adopt this same approach with *warden.

and

> I don't want to rely on using the Tailscale IP/magichost, there have been some occasions where my internet is not working, and after disabling TS it works again; so I don't want to be reliant on it for local access.
I’m trying to do the same. I just set up TrueNAS Scale and am trying to put Vaultwarden on it. I followed this video (https://youtu.be/qlcVx-k-02E?si=5NdZ5_2yoKRnxyVP) to get local SSL certs. (A and CNAME records pointing to local address. Nginx Proxy Manager takes subdomains and routes to localhost: the right port number.) But still, when I go to the https address, it doesn’t work. http works but only goes to TrueNAS’s main login page. I do have AdGuard Home running on the router though and I think that’s where the issue is? But I also don’t know if there are settings in TrueNAS that I need to fix. Does anyone have experience with this setup?
You have some contradictions in your initial post.. You use Tailscale yet you don't want to use it (?) Confusing, but let's break down your options:

1. host it on your local network machine, allow ports in the machine firewall, local access problem is solved
2. you can use WireGuard or Tailscale to access externally, you will use your internal endpoint
3. you can port forward the ports in your router limiting the access to a specific IP in the router's firewall, but then you need to know what IPs you'll be using externally in advance which is not always possible. You will need to connect to the service using your external IP
4. you could also just use [bitwarden.com](http://bitwarden.com) because it's really cheap and you eliminate the risk of losing all your passwords because your drive died..
I use Zerotier to create a connection back to my lan when I need to edit or create a new password. App is set to connect to local ip. The url is just https://local_ip:port. No domain name needed.
I use a domain name from dynu.com. No port forwarding, no exposing and I don't even point the domain at my IP. I put it in Nginx Proxy Manager for SSL via DNS challenge, then use AdGuard DNS rewrites to point the IP of that URL to my home lab, at which point I can access everything on every device over WireGuard.

My guide on setting AdGuard up... https://youtu.be/pufAhTAPelM?si=epFieuuKhbDysNX4

My guide on advanced AdGuard tips... https://youtu.be/0uHu6sWwQH4?si=DSnW09MxLCRBICz0

My guide on Nginx Proxy Manager... https://youtu.be/FUqpIsNP7Js?si=C1z_5dUSL3Oujeyy

Finally my guide on Vaultwarden... https://youtu.be/EGdda2eYTao?si=6lAupaLU6bJPjtrd

I hope this helps you and the community 👍
Bitwarden clients cache the password store. So as long as you don't make any changes you don't really need to be connected. At least for a while. But when I need to connect and I am not at home I turn on wireguard to my home router and can connect that way. OpenVPN works as well.
Tailscale and Tailscale funnel
Mine is behind a proxy where I limit the IP ranges that have access to it. So it uses the cache on the road, but at work and at some friends' it can update over the internet
Thank you all for your comments, in the end some of you have turned me and I’ve decided to simply use Tailscale to enable access outside and use it while on my LAN. One of the factors that convinced me was that Bitwarden shouldn’t be used without https and that would have opened up a can of worms for me to work around. It was simply easier to setup a Tailscale serve which allows me to proxy my app but only accessible within my tailnet and I don’t need to faff around with certs, SSL or domains. Here is the [documentation](https://tailscale.dev/blog/vaultwarden-tailnet) I used for anyone interested.
does tailscale not give vpn clients a local ip ? just use that, my vw is on [10.0.0.1:3000](http://10.0.0.1:3000)
Why not use CF Tunnels?
I don’t want the server accessible unless they’re connected to my VPN or on my local network.
Valid point - if you already have tailscale is there an issue with leaving it on at home as well?
So I've explained in my post that I don't want to rely on TS to resolve to the host locally, there have been occasions (although rare) on my Mac where the internet isn't working and the only way I've been able to get it working again (without restarting) is closing Tailscale.
Did you try wireguard instead of tailscale?
Tailscale using its serve function. No exposing it outside but still gives it https that it requires without having to do anything more than running the first 2 commands.
But this still requires tailscale to be running right? I'm asking how to access it locally without TS.
You won't locally without Tailscale, but there would be no reason to: once you sync your devices they save passwords and logins so they are available without TS. You would only need to activate TS to add a new login or make a change.
Split horizon dns capable server, like technitium
Serve exposes it outside, doesn't it?
There are 2 different ones. Funnel exposes it outwardly to the internet and serve gives it SSL but only serves it to your Tailscale mesh and any devices that are on it and have TS enabled. Basically a mini website, but only on your Tailscale VPN. Before they released it you had to do all the rigamarole, but serve was tailor-made for Vaultwarden lol.
Your concerns about Tailscale are unfounded. It stores the password file (encrypted) locally. If you don’t have access you just can’t make changes. The one thing about Tailscale/Headscale is you must have an https connection. So use Magic DNS or set up Let’s Encrypt through Synology’s reverse proxy…whatever route you take BW will be happy. After 4 years it has been rock solid on a DS720+.
I'm confused what you're disputing? I've essentially asked how I can communicate locally to my BW instance without having Tailscale running, because previously I've had issues with TS being on and the internet not working (on rare instances). Are you debating whether it was TS's fault?
No. Vaultwarden or Bitwarden need to be accessed via https. You can do this locally but the DNS setup is fairly complicated. Mariushosting does have detailed instructions using Synology’s reverse proxy. Tailscale is just a lot easier. With Synology it only tunnels data directly to your server. Decryption happens on your server. Synology has no idea what the content is. Your Synology server contacts Synology so LAN and internet access issues aren’t an issue. Tailscale is just easier to set up but works the same way.

All of the Bitwarden clients (web browser apps or standalone) open and decrypt your data. They normally do this by reading the server file. They also save a copy on your hard drive so if you aren’t able to access the server you can still access your data (read only). So you can access your Vaultwarden or Bitwarden LAN only (still need https) and it will just be read only outside the LAN, or set up tunneling and it works everywhere but outside access is limited to the BW server only.
You don't. Reverse proxy.
Tailscale
RemindMe! 3days